1. Field of the Invention
The invention relates to the field of network processing. Specifically, this invention relates to the optimization of IPsec packet processing through increased parallelism in processing and the removal of serialized processing bottlenecks.
2. Background
Communication networks and the number of users of such networks continue to increase. On-line sales involving both business-to-business and business-to-consumer communication over the Internet continue to proliferate. Additionally, the number of people who are telecommuting continues to grow. Both on-line sales and telecommuting are examples of uses of communication networks that typically involve private and sensitive data that needs to be protected during its transmission across the different communication networks.
Accordingly, security protocols (e.g., Transport Layer Security (TLS), Secure Sockets Layer (SSL) 3.0, Internet Protocol Security (IPsec), etc.) have been developed to establish secure sessions between remote systems. These security protocols provide a method for remote systems to establish a secure session through message exchange and calculations, thereby allowing sensitive data being transmitted across the different communication networks to have a measure of security and/or untamperability.
These security protocols utilize encryption to protect the content of the messages sent between machines and network devices. In some instances, it is necessary that a network device handling a message decrypt at least a portion of the message in order to process the message, such as to determine the message destination. Decryption algorithms often require significant processing resources. This puts a strain on the network processor in a network device. A network processor often receives incoming packets from a framer, which is a device that translates an incoming signal over a physical medium into a predefined format or frame.
IPsec is a security framework for Internet Protocol (IP) networking that provides security services, including access control, integrity, authentication, protection against replay, confidentiality and similar services. IPsec utilizes a security association (SA) to implement its services. An SA is a simplex connection that is protected by one or more of the security services. An SA may be established between a pair of hosts, between a host and a security gateway, such as a router, or between a pair of gateways. In a further embodiment, nested or bundled IPsec, IP in IP or similar packet configurations are identified as unsupported configurations and forwarded to an exception port. An SA contains all the information required to execute the security services of an IPsec packet. When created, an SA is assigned a security parameters index (SPI) by the receiving machine. The combination of the SPI and the destination IP address uniquely identifies an SA. A receiving host uses this information to determine which SA an incoming IPsec packet belongs to, and thus which algorithms for decryption and packet processing to apply to the packet. On the transmit side, the host performs a lookup based on the IP header information to find the SA to be used for encryption and packet processing.
IPsec utilizes a sequence number stored in a 32-bit format within each IPsec packet to verify or authenticate decrypted packet data by comparison with an Integrity Check Value encrypted within the packet. IPsec also utilizes the sequence number to track packets of a particular SA that have been processed, thereby allowing for anti-replay checks that determine whether a packet has already been processed and prevent 'spoofing' of an IPsec packet by detecting packets whose sequence numbers have already been processed or are outside a defined range or 'window.'
IPsec packets include a 32-bit sequence number. However, IPsec also supports 64-bit sequence numbers in security associations. Thus, when an IPsec packet is examined to determine its sequence number, a conversion is necessary to translate the 32-bit sequence number in the packet into a 64-bit sequence number for processing in connection with the security association.
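The two preceding paragraphs describe the anti-replay window and the 32-bit to 64-bit sequence number conversion without showing how a receiver performs them. The following C program is an added example, not code from the patent or from any IPsec implementation; it reconstructs the 64-bit sequence number from the 32-bit value in the packet using the case analysis of RFC 4303 Appendix A2.2 and then runs the window check against a small, constructed per-SA window. The `esn_window_t` layout, the window width of 64 packets, and the `th > 0` guard for a freshly created SA are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-SA inbound anti-replay state (a hypothetical layout for this
 * example, not a structure described in the patent).  Bit i of the bitmap
 * records whether sequence number (top - i) has already been accepted. */
#define ESN_WINDOW 64u

typedef struct {
    uint64_t top;     /* T: highest 64-bit sequence number accepted so far */
    uint64_t bitmap;  /* one bit per sequence number in [top-63, top]      */
} esn_window_t;

/* Rebuild the 64-bit sequence number from the 32-bit value in the packet,
 * following the case split of RFC 4303 Appendix A2.2: the high 32 bits are
 * never sent, so the receiver infers them from where its window sits. */
uint64_t esn_reconstruct(uint64_t top, uint32_t seql)
{
    uint32_t th = (uint32_t)(top >> 32);
    uint32_t tl = (uint32_t)top;
    uint32_t bl = tl - (ESN_WINDOW - 1);   /* window bottom, modulo 2^32 */
    uint32_t seqh;

    if (tl >= ESN_WINDOW - 1) {
        /* Case A: the whole window lies inside one 2^32 subspace.  A value
         * below the bottom is taken to have wrapped into the next subspace;
         * if that guess is wrong, the ICV check rejects the packet. */
        seqh = (seql >= bl) ? th : th + 1;
    } else {
        /* Case B: the window straddles a subspace boundary, so large
         * 32-bit values belong to the previous subspace.  The th > 0 guard
         * is an addition for a fresh SA, where no previous subspace exists. */
        seqh = (seql >= bl && th > 0) ? th - 1 : th;
    }
    return ((uint64_t)seqh << 32) | seql;
}

/* Anti-replay test only: true means "not yet seen, continue to ICV check".
 * The window is deliberately left untouched here. */
bool esn_replay_check(const esn_window_t *w, uint32_t seql, uint64_t *seq_out)
{
    uint64_t seq = esn_reconstruct(w->top, seql);
    *seq_out = seq;
    if (seq > w->top)
        return true;                          /* ahead of the window */
    uint64_t diff = w->top - seq;
    /* Defensive only: the reconstruction above maps a stale 32-bit value
     * into the next subspace, so it is the ICV, not this test, that drops it. */
    if (diff >= ESN_WINDOW)
        return false;
    return ((w->bitmap >> diff) & 1u) == 0;   /* bit set => replay */
}

/* Slide or mark the window; call this only after the ICV verified, so a
 * forged packet can never advance the window or mark a number as seen. */
void esn_replay_update(esn_window_t *w, uint64_t seq)
{
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= ESN_WINDOW) ? 0 : (w->bitmap << shift);
        w->top = seq;
        w->bitmap |= 1u;                      /* bit 0 is the new top */
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* Convenience wrapper: run the replay test against a given window state. */
bool esn_check_at(uint64_t top, uint64_t bitmap, uint32_t seql)
{
    esn_window_t w = { top, bitmap };
    uint64_t seq;
    return esn_replay_check(&w, seql, &seq);
}

/* Feed a constructed stream of 32-bit sequence numbers through a fresh
 * window, treating every ICV as valid, and return how many were accepted:
 * in-order packets, one replay of 2, a late but unseen 4, and a replay of 1. */
unsigned esn_demo_stream(void)
{
    const uint32_t stream[] = { 1, 2, 3, 2, 5, 4, 1 };   /* constructed */
    esn_window_t w = { 0, 0 };
    unsigned accepted = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++) {
        uint64_t seq;
        if (esn_replay_check(&w, stream[i], &seq)) {
            esn_replay_update(&w, seq);
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("accepted %u of 7 packets\n", esn_demo_stream());
    /* Window top 0x1_0000_0010: a packet carrying 0xFFFFFFF0 lands 32 behind
     * the top, in the previous subspace, and is still inside the window. */
    printf("0xFFFFFFF0 -> 0x%llx\n",
           (unsigned long long)esn_reconstruct(0x100000010ull, 0xFFFFFFF0u));
    return 0;
}
```

The check and the update are kept as separate functions on purpose: the sequence number is only trusted once the Integrity Check Value has verified, so the window must not move on the check alone. Note also that the reconstruction never produces a value below the window; a stale 32-bit number is placed in the next subspace and it is the failed ICV that rejects it, which is why the receiver must not treat "ahead of the window" as proof of freshness.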